Category: Reverse Engineering

Safety third!

Say what you will about globalization and the downfall of the USA, I still like ordering stuff from China. It’s cheap, and it takes so long to get here that I forget I ordered it, so it’s a surprise to me.

Recently, I got a bunch of li-poly battery monitors. These (not surprisingly) monitor li-poly batteries and sound an alarm when the battery voltage gets too low. Overdischarging a li-poly battery can damage the battery fairly quickly, and so may mean you have to buy a new battery. This is far better than overcharging them, which can start a pretty dramatic chemical fire.

The monitors I got are these or something very like them. The ones I have have a button which you can press to set the alarm voltage, with a default of 3.3V/cell.

Like a good hacker, I immediately opened one of them up. It has two ICs, one of which is an Atmel 24C02BN, which is a 2kbit I2C EEPROM. The other is unmarked. I had high hopes that it would be an Atmel part as well, or at least marked, so that I could possibly reflash it with my own firmware.

Having 16 pins rules it out as any of the ATTiny or ATMega series, as well as any of the 8, 16, or 32-bit PICs. I imagine it’s something like an Elan microcontroller, and probably not super-well documented.

I did also find out that the speakers are simple dumb speakers, not beepers, so the micro generates the audio waveform for them. That means if I want to use the beep as a shut-off signal, I’ll have to do a little filtering, or add a 555 as a pulse stretcher.

Giving up on the Shark Joystick

I’m going to hang on to the parts, but instead of reverse engineering the joystick control scheme for my Dynamic Controls Shark joystick, I’m going to replace the motor driver and everything related to it.

The main reason to give up on this is that it’s not the project I’m doing. The project is “build a mobility platform for fire art” not “reverse engineer a joystick”. Hacking the joystick would have helped with the real project, but it’s also a time sink. For $60, I can get a “100A” motor driver from China. It’s probably not good for 100A, but it will probably work well enough to let me get on with the rest of the project.

I had hoped that the existing motor driver could be easily converted to use my own control IC, but it has a very-fine-pitch surface mount part that appears to be custom silicon, so I can’t easily drop in a programmable replacement. The custom chip is probably partly to blame for why I couldn’t interface to it, since only Dynamic Controls knows how they implemented the UART. I did figure out where the H-bridge drive lines were, so if I felt like it, I could probably drive it, but the difficulty would probably be on par with making my own driver, and the results would be messier.

Shark Interface Still Not Working

Apparently, having figured out how the Shark joystick sends its information isn’t quite enough to get it working with the motor driver. I wrote software to send the same information that the joystick would usually send, but didn’t get a response. Then I assumed that the way the data lines both go high before serial signalling commences might have been some sort of init signal, so I have an Arduino configured to send the same information, and I still don’t get a response.

It’s entirely possible that I don’t have the bit timing exactly right for the serial link, so I’m now working on bitbanging the serial in a more adaptable way, so I can test different bit lengths.

I’m going to keep plugging away at it for a bit, but I also have a plan B: lobotomize the motor driver. Assuming it uses an ATMega8 like the controller, I can pull the control IC and replace it with one flashed with the Arduino bootloader, and then use rosserial_arduino to control it from ROS. That does mean I’d want to log what the controller does before pulling it, so I have a rough idea what signals go where, but it would vastly simplify controlling the system.

Further Hacking on the Shark

In my previous post, I described how the messages being passed between the joystick and motor driver of my wheelchair appeared to be a differential serial signal at 40,000 bits per second. The data appears to be call and response pairs. Messages from the joystick start with a ‘`’ character, messages from the motor controller start with an ‘a’.
Each message usually has 8 fields with a numerical value in them, and messages end with ’15’.

Tonight, I recorded the signal as I swept the joystick in a clockwise circle, starting at 12:00/full speed forward. Then I graphed the values of each of the fields.

Joystick messages

Fields one and two in messages from the joystick are the forward/backward and left/right axis of the joystick, respectively. The center position is around 128, full forward/left is 255, full backwards/right is 128, so dead center/off should be around 128 + (255-128)/2 or 191.

Field 4 is a very noisy signal between 191 and 128. It appears to peak with field 1 and bottom out with field 1, so it may be the raw magnetic joystick sensor value for that axis.

Field 8 is a very noisy signal between 128 and 255, with clear diagonal slopes at the maximum and minimum of field 1. It may also be related to the raw joystick signal.

Fields 3, 5, 6, and 7 are 191, 128, 132, and 128 all of the time. The joystick has four non-power-button buttons and a power button, and these fields are used to report their values.

Pressing the speed buttons raises and lowers field 3, from a maximum of 255 to a minimum of 128, in 4 steps. There exists a mode that changes the speed in finer steps, but as configured, this is the way my system works. When the speed is lower than half-speed, field 4 has the range of 191 to 128. When the speed is higher than half-speed, field 4’s range is 191 to 255.

Field 5 is 128 when the horn button is not pressed, and 130 when it is pressed.

Field 6 is 132 when the joystick is on and running, and raises to 140

Field 7 is 128 when the joystick is in motion mode, and 129 when it is in seat mode. In seat mode, forward and backward motion of the joystick results in up and down motion of the seat height actuator. The joystick does report left and right motion as well in chairlift mode, but it doesn’t have any effect.

Field 9 is 15, for end-of-message.

Motor driver messages

Fields 7 and 8 are mirror images of each other. Field 7’s minimum appears to be 128, and its maximum is 144. Field 8 maxes out at 236 and has a minimum of 220, so it appears to be 364-field 7. I’m not sure what this field’s value indicates, but it appears to vary with the joystick position, so it may be some sort of current monitor or motor speed monitoring signal.

Field 1 goes from 128 to 146 as the system powers on, and stays there unless the chairlift is used. It appears to transition sharply to 178 when the chairlift moves up, and back when the chairlift moves down, so it is probably connected to the magnetic reed switch that senses the chairlift position.

Field 2 drops from 192 to 128 as the system powers on, and stays there. Fields 3, 5, and 6 are 128 all the time.

Field 6 goes from 128 to 129 the message after the joystick enters chairlift mode, so it is probably an acknowledgement to the joystick that chairlift mode was entered.

Field 4 goes from 128 to 160 as the system powers on, and stays there most of the time. It returns to 128 whenever the chairlift is not moving, so it may be related to braking or motor activation. Before field 4 goes to 160, the joystick does not send any position commands, so the fields from 1 to 6 may be state signals that the motor driver sends to the joystick.

Field 9 is usually the end-of-packet field, but there are regular messages from the motor driver that are of the form

a '146' '128' '128' '160' '128' '128' '135' '229' '26' '133' '167' '185' '15'

rather than the more usual

a '146' '128' '128' '160' '128' '128' '135' '229' '15'

The additional values do not appear to change. The longer messages occur every 49th message, regularly, and starting with the second message from the motor driver, so I do not think that they are glitches.

Reverse Engineering the Dynamic Controls Shark Joystick

No, not a joystick that lets you drive a shark. It’s a joystick for a mobility scooter or powerchair, as is used by people with disabilities.

There are a lot of resources on the internet that claim that the joystick uses CAN-Bus. This is because the signal is differential (there’s a “high” and “low” data line, and they are inversions of each other). However, I don’t think that this is the case. The microcontroller used in the joystick is the ATMega8, which doesn’t have a CAN controller. There are no CAN controllers or transceivers in the joystick. On top of that, my friend Seth’s Saleae logic analyzer can’t make heads or tails of the protocol using the normal CAN analysis modes.

So if it’s not CAN, what is it? There is an LM339 in the joystick, and another one in the motor control unit. These are quad differential comparators, and would be pretty handy if you wanted to hack your own differential serial lines, for noise immunity.

The asynchronous serial decoder of the logic analyzer did manage to decode the serial bit stream at 40000bps.

If the joystick data lines are unplugged and it is powered up, the only output is

t '129' '137' '134' '128' '133' '138' '166' '130' '196' '15'

repeated every 20ms (19.96937, actually, but who’s counting?).

If the joystick is plugged in, the startup does this:

t '129' '137' '134' '128' '133' '138' '166' '130' '196' '15'
'5' '130' '248' '15'
` '192' '191' '192' '141' '128' '140' '128' '199' '15'
a '128' '128' '128' '128' '128' '128' '128' '158' '15'
` '192' '191' '192' '141' '128' '140' '128' '199' '15'
a '128' '192' '128' '128' '128' '128' '128' '222' '26' '133' '167' '185' '15'
` '192' '191' '192' '141' '128' '140' '128' '199' '15'
a '128' '192' '128' '128' '128' '128' '128' '222' '15'
` '192' '191' '192' '141' '128' '140' '128' '199' '15'

I wrote a little script that parses the CSV output of the logic analyzer software and just prints a newline after each ’15’.

The main thing to notice about this is that the same initialization value is sent, but then it falls into a sort of call and response, with every other line starting with ‘a’ or ‘`’.

My guess is that these are communications passing back and forth between the joystick and the motor controller. I logged 20 seconds of the wheelchair sitting still and then counted all the unique messages that passed between the joystick and the motor controller.

Assuming that the above startup sequence is call and response, the message starting with ‘t’ and the ones starting with ‘`’ are the joystick, and the ones starting with ‘a’ are from the motor driver.

I sorted the commands out and counted the unique messages. They break down like this:


1 ` '191' '190' '192' '189' '128' '132' '128' '161' '15'
1 ` '191' '191' '192' '186' '128' '132' '128' '163' '15'
1 ` '192' '191' '192' '128' '128' '140' '128' '212' '15'
1 ` '192' '191' '192' '130' '128' '132' '128' '218' '15'
1 '5' '130' '248' '15'
1 a '128' '192' '128' '128' '128' '128' '128' '222' '26' '133' '167' '185' '15'
1 t '129' '137' '134' '128' '133' '138' '166' '130' '196' '15'
2 ` '191' '190' '192' '174' '128' '132' '128' '176' '15'
3 ` '191' '191' '192' '184' '128' '140' '128' '157' '15'
10 a '128' '192' '128' '128' '128' '128' '128' '222' '15'
14 ` '192' '190' '192' '135' '128' '132' '128' '214' '15'
20 a '146' '128' '128' '128' '128' '128' '128' '140' '26' '133' '167' '185' '15'
21 a '128' '128' '128' '128' '128' '128' '128' '158' '15'
22 ` '192' '191' '192' '129' '128' '132' '128' '219' '15'
34 ` '191' '191' '192' '176' '128' '132' '128' '173' '15'
37 ` '192' '191' '192' '128' '128' '132' '128' '220' '15'
40 ` '191' '190' '192' '190' '128' '132' '128' '160' '15'
57 ` '191' '190' '192' '182' '128' '132' '128' '168' '15'
70 ` '191' '191' '192' '185' '128' '132' '128' '164' '15'
139 ` '191' '190' '192' '183' '128' '132' '128' '167' '15'
290 ` '191' '191' '192' '184' '128' '132' '128' '165' '15'
294 ` '191' '190' '192' '191' '128' '132' '128' '159' '15'
954 a '146' '128' '128' '128' '128' '128' '128' '140' '15'

Most of the unique messages are from the joystick, and almost all of the messages sent back are the one at the bottom, with 954 occurrences.

Let’s compare the messages from the motor controller. Bear in mind that nothing is moving at this point.


1 '5' '130' '248' '15'
1 a '128' '192' '128' '128' '128' '128' '128' '222' '26' '133' '167' '185' '15'
10 a '128' '192' '128' '128' '128' '128' '128' '222' '15'
20 a '146' '128' '128' '128' '128' '128' '128' '140' '26' '133' '167' '185' '15'
21 a '128' '128' '128' '128' '128' '128' '128' '158' '15'
954 a '146' '128' '128' '128' '128' '128' '128' '140' '15'

The first one is the startup acknowledgement. It never occurs again.

The next one and the one that occurs 20 times look similar, in that they both have four extra numbers in them. The first, second, and eighth values are the only ones that vary between them.

The one that occurs ten times matches the one that occurs 21 times, except for the second and eighth fields, and doesn’t have the extended part.

The third through seventh fields are always ‘128’.

The first and second fields are always ‘128’, ‘146’, or ‘192’. The eighth field is always ‘222’, ‘140’, or ‘158’. The ninth field is either 26 or the end of transmission marker ’15’.

So what does all this mean?

I suspect that at least one of the values has something to do with the battery. The battery connects to the motor driver, but there is a battery level display on the joystick, so the motor driver must communicate some battery level information to the joystick.

The messages from the joystick have a similar pattern.


1 ` '191' '190' '192' '189' '128' '132' '128' '161' '15'
1 ` '191' '191' '192' '186' '128' '132' '128' '163' '15'
1 ` '192' '191' '192' '128' '128' '140' '128' '212' '15'
1 ` '192' '191' '192' '130' '128' '132' '128' '218' '15'
2 ` '191' '190' '192' '174' '128' '132' '128' '176' '15'
3 ` '191' '191' '192' '184' '128' '140' '128' '157' '15'
14 ` '192' '190' '192' '135' '128' '132' '128' '214' '15'
22 ` '192' '191' '192' '129' '128' '132' '128' '219' '15'
34 ` '191' '191' '192' '176' '128' '132' '128' '173' '15'
37 ` '192' '191' '192' '128' '128' '132' '128' '220' '15'
40 ` '191' '190' '192' '190' '128' '132' '128' '160' '15'
57 ` '191' '190' '192' '182' '128' '132' '128' '168' '15'
70 ` '191' '191' '192' '185' '128' '132' '128' '164' '15'
139 ` '191' '190' '192' '183' '128' '132' '128' '167' '15'
290 ` '191' '191' '192' '184' '128' '132' '128' '165' '15'
294 ` '191' '190' '192' '191' '128' '132' '128' '159' '15'

The first and second values vary, but only slightly. The third value does not vary. The fourth value varies over the range 128-191. The fifth value does not vary. The sixth value varies, the seventh does not, the eighth does.

The joystick is a 4-axis device, with three buttons and a pair of binary inputs. My hope is that the values reported are something like the four joystick axes and the buttons, but the numbers don’t quite line up, as there are more buttons (5, three buttons plus two input jacks) than values left over after subtracting the joystick axes. Unless the jacks are in parallel with the buttons, that’s not what’s going on.

Recording from the data lines while the joystick is held in the forward position gives these unique lines:


1 ` '128' '191' '192' '134' '128' '132' '128' '150' '15'
1 ` '128' '192' '192' '130' '128' '132' '128' '153' '15'
1 ` '128' '192' '192' '132' '128' '132' '128' '151' '15'
1 ` '128' '193' '192' '131' '128' '132' '128' '151' '15'
1 ` '129' '191' '192' '165' '128' '132' '128' '246' '15'
1 ` '131' '191' '192' '170' '128' '132' '128' '239' '15'
1 ` '133' '191' '192' '176' '128' '132' '128' '231' '15'
1 ` '135' '190' '192' '191' '128' '132' '128' '215' '15'
1 ` '137' '190' '192' '190' '128' '132' '128' '214' '15'
1 ` '140' '190' '192' '135' '128' '132' '128' '138' '15'
1 ` '142' '191' '192' '130' '128' '132' '128' '140' '15'
1 ` '144' '191' '192' '156' '128' '132' '128' '240' '15'
1 ` '146' '191' '192' '156' '128' '132' '128' '238' '15'
1 ` '148' '191' '192' '149' '128' '132' '128' '243' '15'
1 ` '150' '191' '192' '150' '128' '132' '128' '240' '15'
1 ` '152' '191' '192' '164' '128' '132' '128' '224' '15'
1 ` '154' '191' '192' '186' '128' '132' '128' '200' '15'
1 ` '157' '191' '192' '153' '128' '132' '128' '230' '15'
1 ` '160' '191' '192' '136' '128' '132' '128' '244' '15'
1 ` '163' '191' '192' '145' '128' '132' '128' '232' '15'
1 ` '166' '191' '192' '153' '128' '132' '128' '221' '15'
1 ` '169' '191' '192' '161' '128' '132' '128' '210' '15'
1 ` '172' '191' '192' '145' '128' '132' '128' '223' '15'
1 ` '174' '191' '192' '179' '128' '132' '128' '187' '15'
1 ` '177' '191' '192' '139' '128' '132' '128' '224' '15'
1 ` '179' '191' '192' '139' '128' '132' '128' '222' '15'
1 ` '180' '191' '192' '188' '128' '132' '128' '172' '15'
1 ` '182' '191' '192' '181' '128' '132' '128' '177' '15'
1 ` '184' '191' '192' '172' '128' '132' '128' '184' '15'
1 ` '186' '191' '192' '172' '128' '132' '128' '182' '15'
1 ` '188' '191' '192' '140' '128' '132' '128' '212' '15'
1 ` '189' '191' '192' '156' '128' '132' '128' '195' '15'
1 ` '190' '191' '192' '132' '128' '132' '128' '218' '15'
1 ` '190' '191' '192' '147' '128' '132' '128' '203' '15'
1 ` '190' '191' '192' '163' '128' '132' '128' '187' '15'
1 ` '190' '191' '192' '171' '128' '132' '128' '179' '15'
1 ` '190' '191' '192' '172' '128' '132' '128' '178' '15'
1 ` '190' '191' '192' '181' '128' '132' '128' '169' '15'
1 ` '190' '191' '192' '190' '128' '132' '128' '160' '15'
1 ` '191' '191' '192' '141' '128' '132' '128' '208' '15'
1 ` '191' '191' '192' '173' '128' '132' '128' '176' '15'
1 ` '192' '191' '192' '133' '128' '140' '128' '207' '15'
1 ` '192' '191' '192' '135' '128' '132' '128' '213' '15'
1 ` '192' '191' '192' '150' '128' '132' '128' '198' '15'
1 '5' '130' '248' '15'
1 a '128' '192' '128' '128' '128' '128' '128' '222' '26' '133' '167' '185' '15'
1 a '146' '128' '128' '160' '128' '128' '134' '230' '26' '133' '167' '185' '15'
1 a '146' '128' '128' '160' '128' '128' '141' '223' '26' '133' '167' '185' '15'
1 a '146' '128' '128' '160' '128' '128' '145' '219' '26' '133' '167' '185' '15'
1 a '146' '128' '128' '160' '128' '129' '142' '222' '15'
1 a '146' '128' '128' '160' '132' '128' '135' '229' '15'
1 a '146' '128' '128' '176' '128' '128' '145' '219' '15'
1 a '146' '128' '132' '160' '128' '128' '146' '218' '15'
1 a '146' '129' '128' '160' '128' '128' '141' '223' '15'
1 a '146' '132' '128' '160' '128' '128' '143' '221' '15'
1 a '146' '132' '128' '160' '130' '128' '146' '218' '15'
1 t '129' '137' '134' '128' '133' '138' '166' '130' '196' '15'
2 ` '128' '191' '192' '133' '128' '132' '128' '151' '15'
2 ` '128' '191' '192' '135' '128' '132' '128' '149' '15'
2 ` '128' '192' '192' '134' '128' '132' '128' '149' '15'
2 ` '128' '194' '192' '130' '128' '132' '128' '151' '15'
2 ` '191' '191' '192' '188' '128' '132' '128' '161' '15'
2 ` '192' '191' '192' '131' '128' '132' '128' '217' '15'
2 ` '192' '191' '192' '140' '128' '132' '128' '208' '15'
2 a '146' '128' '128' '160' '128' '128' '146' '218' '26' '133' '167' '185' '15'
3 ` '128' '191' '192' '131' '128' '132' '128' '153' '15'
3 ` '192' '191' '192' '143' '128' '132' '128' '205' '15'
3 a '146' '128' '128' '128' '128' '128' '128' '140' '26' '133' '167' '185' '15'
4 a '146' '128' '128' '160' '128' '128' '130' '234' '15'
4 a '146' '128' '128' '160' '128' '128' '131' '233' '15'
4 a '146' '128' '128' '160' '128' '128' '136' '228' '15'
5 ` '128' '191' '192' '132' '128' '132' '128' '152' '15'
5 ` '128' '192' '192' '128' '128' '132' '128' '155' '15'
5 a '146' '128' '128' '160' '128' '128' '129' '235' '15'
5 a '146' '128' '128' '160' '128' '128' '133' '231' '15'
5 a '146' '128' '128' '160' '128' '128' '134' '230' '15'
5 a '146' '128' '128' '160' '128' '128' '138' '226' '15'
6 ` '128' '193' '192' '130' '128' '132' '128' '152' '15'
6 ` '192' '191' '192' '134' '128' '132' '128' '214' '15'
6 a '146' '128' '128' '160' '128' '128' '132' '232' '15'
6 a '146' '128' '128' '160' '128' '128' '137' '227' '15'
7 a '146' '128' '128' '160' '128' '128' '139' '225' '15'
7 a '146' '128' '128' '160' '128' '128' '141' '223' '15'
8 a '146' '128' '128' '160' '128' '128' '140' '224' '15'
9 ` '128' '193' '192' '129' '128' '132' '128' '153' '15'
9 ` '128' '193' '192' '132' '128' '132' '128' '150' '15'
9 ` '192' '191' '192' '141' '128' '140' '128' '199' '15'
9 a '146' '128' '128' '160' '128' '128' '145' '219' '15'
10 a '128' '192' '128' '128' '128' '128' '128' '222' '15'
10 a '146' '128' '128' '160' '128' '128' '135' '229' '15'
10 a '146' '128' '128' '160' '128' '128' '142' '222' '15'
10 a '146' '128' '128' '160' '128' '128' '143' '221' '15'
12 ` '128' '192' '192' '135' '128' '132' '128' '148' '15'
12 ` '128' '193' '192' '133' '128' '132' '128' '149' '15'
12 a '146' '128' '128' '160' '128' '128' '128' '236' '15'
12 a '146' '128' '128' '160' '128' '128' '144' '220' '15'
15 ` '128' '193' '192' '128' '128' '132' '128' '154' '15'
20 ` '128' '193' '192' '134' '128' '132' '128' '148' '15'
21 a '128' '128' '128' '128' '128' '128' '128' '158' '15'
24 ` '128' '194' '192' '129' '128' '132' '128' '152' '15'
25 ` '192' '191' '192' '141' '128' '132' '128' '207' '15'
26 ` '192' '191' '192' '142' '128' '132' '128' '206' '15'
30 ` '192' '191' '192' '133' '128' '132' '128' '215' '15'
33 ` '192' '191' '192' '132' '128' '132' '128' '216' '15'
63 ` '128' '194' '192' '128' '128' '132' '128' '153' '15'
64 ` '128' '193' '192' '135' '128' '132' '128' '147' '15'
126 a '146' '128' '128' '128' '128' '128' '128' '140' '15'
135 a '146' '128' '128' '160' '128' '128' '146' '218' '15'

Breaking out the motor driver packets gives:


1 a '128' '192' '128' '128' '128' '128' '128' '222' '26' '133' '167' '185' '15'
1 a '146' '128' '128' '160' '128' '128' '134' '230' '26' '133' '167' '185' '15'
1 a '146' '128' '128' '160' '128' '128' '141' '223' '26' '133' '167' '185' '15'
1 a '146' '128' '128' '160' '128' '128' '145' '219' '26' '133' '167' '185' '15'
1 a '146' '128' '128' '160' '128' '129' '142' '222' '15'
1 a '146' '128' '128' '160' '132' '128' '135' '229' '15'
1 a '146' '128' '128' '176' '128' '128' '145' '219' '15'
1 a '146' '128' '132' '160' '128' '128' '146' '218' '15'
1 a '146' '129' '128' '160' '128' '128' '141' '223' '15'
1 a '146' '132' '128' '160' '128' '128' '143' '221' '15'
1 a '146' '132' '128' '160' '130' '128' '146' '218' '15'
2 a '146' '128' '128' '160' '128' '128' '146' '218' '26' '133' '167' '185' '15'
3 a '146' '128' '128' '128' '128' '128' '128' '140' '26' '133' '167' '185' '15'
4 a '146' '128' '128' '160' '128' '128' '130' '234' '15'
4 a '146' '128' '128' '160' '128' '128' '131' '233' '15'
4 a '146' '128' '128' '160' '128' '128' '136' '228' '15'
5 a '146' '128' '128' '160' '128' '128' '129' '235' '15'
5 a '146' '128' '128' '160' '128' '128' '133' '231' '15'
5 a '146' '128' '128' '160' '128' '128' '134' '230' '15'
5 a '146' '128' '128' '160' '128' '128' '138' '226' '15'
6 a '146' '128' '128' '160' '128' '128' '132' '232' '15'
6 a '146' '128' '128' '160' '128' '128' '137' '227' '15'
7 a '146' '128' '128' '160' '128' '128' '139' '225' '15'
7 a '146' '128' '128' '160' '128' '128' '141' '223' '15'
8 a '146' '128' '128' '160' '128' '128' '140' '224' '15'
9 a '146' '128' '128' '160' '128' '128' '145' '219' '15'
10 a '128' '192' '128' '128' '128' '128' '128' '222' '15'
10 a '146' '128' '128' '160' '128' '128' '135' '229' '15'
10 a '146' '128' '128' '160' '128' '128' '142' '222' '15'
10 a '146' '128' '128' '160' '128' '128' '143' '221' '15'
12 a '146' '128' '128' '160' '128' '128' '128' '236' '15'
12 a '146' '128' '128' '160' '128' '128' '144' '220' '15'
21 a '128' '128' '128' '128' '128' '128' '128' '158' '15'
126 a '146' '128' '128' '128' '128' '128' '128' '140' '15'
135 a '146' '128' '128' '160' '128' '128' '146' '218' '15'

Now it seems that every value varies at least once. I’m not sure yet what to make of this, but I feel like I’m on the right track.
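
The analysis steps described in this post (cut the decoded stream after each 15, count unique messages, see which fields vary), together with the field 7 / field 8 relation noted in "Further Hacking on the Shark", as an added Python example that is not the author's script. It assumes the token notation shown on this page (a quoted token is a decimal byte value, a bare character is a printable byte); the function names are hypothetical and the sample streams are constructed from message lines on this page.

```python
from collections import Counter

END = 15  # end-of-message byte, per the post

# Constructed sample: message lines copied from the captures on this page and
# joined into one stream; the last line is deliberately cut short.
IDLE = """
t '129' '137' '134' '128' '133' '138' '166' '130' '196' '15'
'5' '130' '248' '15'
` '192' '191' '192' '141' '128' '140' '128' '199' '15'
a '128' '128' '128' '128' '128' '128' '128' '158' '15'
` '192' '191' '192' '141' '128' '140' '128' '199' '15'
a '128' '192' '128' '128' '128' '128' '128' '222' '26' '133' '167' '185' '15'
` '192' '191' '192' '128' '128' '132' '128' '220' '15'
a '128' '192' '128' '128' '128' '128' '128' '222' '15'
` '191' '190' '192' '191' '128' '132' '128' '159' '15'
a '146' '128' '128' '128' '128' '128' '128' '140' '15'
a '146' '128' '128' '128' '128' '128' '128' '140' '26' '133' '167' '185' '15'
` '191' '190'
"""

# Constructed sample: motor-driver lines from the joystick-held-forward capture.
MOVING = """
a '146' '128' '128' '160' '128' '128' '135' '229' '15'
a '146' '128' '128' '160' '128' '128' '146' '218' '15'
a '146' '128' '128' '160' '128' '128' '128' '236' '15'
a '146' '128' '128' '160' '128' '128' '144' '220' '15'
"""

# Attribution the post assumes: t and ` come from the joystick, a and the
# one-off startup acknowledgement (first byte 5) from the motor driver.
SENDERS = {ord("t"): "joystick", ord("`"): "joystick", ord("a"): "motor", 5: "motor"}


def parse_token(tok):
    """'146' -> 146; a bare printable character such as a or ` -> its byte value."""
    if len(tok) >= 3 and tok[0] == tok[-1] == "'":
        value = int(tok[1:-1])
    elif len(tok) == 1:
        value = ord(tok)
    else:
        raise ValueError(f"unrecognised token {tok!r}")
    if not 0 <= value <= 255:
        raise ValueError(f"not a byte: {tok!r}")
    return value


def split_messages(text):
    """Cut the byte stream after every END byte.

    Returns (messages, leftover). leftover holds the bytes of a message whose
    END was never captured, so a truncated recording is not counted.
    """
    messages, current = [], []
    for tok in text.split():
        current.append(parse_token(tok))
        if current[-1] == END:
            messages.append(tuple(current))
            current = []
    return messages, tuple(current)


def sender(msg):
    return SENDERS.get(msg[0], "unknown")


def varying_fields(messages, start, nfields=8):
    """1-based field numbers (field 1 follows the start byte) that take more
    than one value among messages beginning with `start`. Extended messages
    are compared on their first nfields fields only."""
    group = [m for m in messages if m[0] == ord(start) and len(m) >= nfields + 2]
    return {i for i in range(1, nfields + 1) if len({m[i] for m in group}) > 1}


def mirror_sums(messages):
    """Tally field 7 + field 8 over motor-driver messages, to test the
    'field 8 = 364 - field 7' observation."""
    return Counter(m[7] + m[8] for m in messages if m[0] == ord("a") and len(m) >= 10)


if __name__ == "__main__":
    msgs, leftover = split_messages(IDLE)
    # Same shape as the post's listings: count, then the message, rarest first.
    for msg, count in sorted(Counter(msgs).items(), key=lambda kv: kv[1]):
        print(count, sender(msg), msg)
    print("incomplete tail:", leftover)
    print("motor fields that vary:", sorted(varying_fields(msgs, "a")))
    print("joystick fields that vary:", sorted(varying_fields(msgs, "`")))
    print("field7+field8 while moving:", mirror_sums(split_messages(MOVING)[0]))
```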

I've been had!

I got a “5600mAh” power bank from Aliexpress. It’s an electronic item direct from China at low, low prices, so I assumed it was going to not measure up in some way or other, but until I got it, I didn’t know how.

Overall, the build quality isn’t bad. The case is molded plastic, and snaps together. It’s nice looking and feels solid. The power management PCB in it seems to have good quality solder joints. Not too shabby, and I don’t expect it to catch fire or anything.

The batteries, on the other hand, are where it falls down. The device has two cells in it, 18650 size, 1200mAh each (if their labels are to be believed). They are in parallel, which gets me a total of 2400mAh. That’s slightly more than half of the advertised capacity. Since 5600 isn’t an even multiple of 1200, there’s no way they could get 5600mAh using these batteries, even if they did want a product that could live up to their claims.

For ~$9, I don’t think it’s worth making a fuss over, but now I know what to expect from this device.

Toy Helicopter Hacking

This Christmas, my parents gave me a palm-sized toy helicopter (Avatar Z008), and my girlfriend’s parents gave me a slightly bigger toy helicopter with a video camera (Egofly Spyhawk). I also have one that I bought myself (Syma S107). All of them are gyro-stabilized, coaxial-rotor helicopters, which basically just means that they automatically don’t roll, and are easy to fly.

I had hoped to convert one of them into a tiny drone. I opened up the S107 this morning to take a look at the internal PCB. The IR signal from the remote goes to an unmarked 14-pin IC. The gyro (which I assume to be the little metal can mounted on a daughter board from the main PCB) is marked, with “C 146” and “Y2373”. One pin of the gyro is grounded, one, marked “TLY”, is connected to the unmarked IC, and one goes to Vcc. That is pretty clearly power, ground, and a signal pin.

This means any control that the system is doing based on the gyro is done by that unmarked IC. Chances are that re-implementing the gyro control would be amusing, but much harder than simply adding whatever drone control I decided to add “on top of” the existing hardware.

An easier approach would be to take advantage of work that other people have done on reverse-engineering the IR protocol, and add my own control circuit that sends IR control signals to the existing board. That way, the existing board would take care of driving the motors and keeping the helicopter balanced, while my board would add autonomy.

Downward and front facing versions of SpeckleSense could be used to give the helicopter a sense of its movement in the world, which might be good enough for dead-reckoning navigation over small distances.

Rave in a Briefcase

As part of preparations for a local party, I am building a sound system to fit in a small suitcase and run on 12V DC. The system consists of a small DJ mixing deck and a car audio amplifier. Powering the car amp is easy, as it was designed to take 12V DC power. Powering the mixing deck is not so easy.

Mixers are audio gear, so they tend to have audio signals that are AC, and have components above and below 0V. As a result, they have double-ended power supplies. For the mixer I have, there is an 18V AC power brick, which gets rectified, filtered, and put through a +15V regulator and a -15v regulator. 15, being higher than 12, is an inconvenient number of volts to get out of a 12V battery. Since it’s double-ended, I really need a voltage spread of 30V, with a 0V rail in the middle.

The simple, stupid way to do this is to power the rig with two 12V batteries and two 6V batteries. Across each set of one 6V and one 12V, I would have 18V, and if each of the pairs of batteries shared a common ground, that would be my 0V rail. Unfortunately, I’d also have to manage charging, connecting, and monitoring charge on all of those batteries, not to mention carrying them to wherever I was using the audio. Lead-acid batteries are heavy. Since this is inelegant, heavy, and requires lots of fiddling, I’m going to call it “Plan C” and only do it if everything else fails.

Another simple solution is to use a 12V DC to 120V AC inverter. That takes up a lot of space, and isn’t all that efficient, but it means I don’t have to build a replacement power supply for the amplifier. I have all the parts for it, and it requires less hauling and fiddling than Plan C, but it is still inefficient, so this is “Plan B”.

Since the AC wall wart is rated for 300mA, I have an upper bound on what the mixer can draw. That means I can start looking into DC/DC converters. Vicor makes a 12V to 15V converter, but it costs $99 and I would need two of them. Since I don’t need a lot of current, I can probably make a pair of step-up converters that have a 15-18V output. This site has a simple schematic, and more importantly, the equation for the output voltage, given the current and frequency of a switching circuit in the converter. The control IC takes care of monitoring the output voltage and varying the frequency, but I may be able to use a simpler circuit and change the frequency by splitting off part of the output voltage and feeding it back to the RC timer circuit. The whole circuit would be small, and probably more efficient than using an inverter and the power supply of the mixer.

Hacking LG Phone Chargers

I have an LG Lotus phone. It charges over a USB cable, which plugs into a USB-like port on the charger. I recently wanted to be able to charge my phone in the woods of Vermont, where outlets to plug a charger into are few and far between. To fix this, I built a simple regulator that draws power from a 7.2V RC car battery and provides 5V DC to a USB jack.

My cell phone charger

Unfortunately, when I plugged my phone into it, the phone displayed a message that said “Please use only genuine LJ accessories”.

To figure out how the phone identified the charger, I opened the charger up. I had visions of LG using an I2C EEPROM to store a unique identifier or some sort of crypto chip performing a handshake with the phone based on a shared secret that was baked in at the factory.

The bottom of the charger PCB

In reality, it’s nothing that complicated. The data lines of the USB port are connected to each other. This means that anything the phone sends down one data line will show back up on the other one, so it can detect the connected pins by driving one line high and seeing if the other line also goes high. I connected the data pins on my homebrew charger, and the phone started charging from it.